package com.itheima.health.config;

import com.itheima.health.security.MyUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.provisioning.InMemoryUserDetailsManagerConfigurer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
//@EnableGlobalMethodSecurity(prePostEnabled = true)  //开启权限控制注解
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyUserDetailsService myUserDetailsService;

    /**
     * @Author: JASON
     * @Date: 11:04 2021/1/13
     * @Parms [auth]
     * @ReturnType: void
     * @Description: 创建用户和权限角色的配置
    */
    //auth.inMemoryAuthentication() 创建一个基于内存的用户信息配置类
    //withUser("admin").password("{noop}1234") 添加用户和密码  {noop} 不加密
    //authorities("ROLE_ADMIN") 配置权限和角色  以ROLE_ 开头的为角色  add表示权限
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //指定自己的userDetails  使用自己的不适用InmemoryUserDetails
        auth.userDetailsService(myUserDetailsService);
//        InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> configurer = auth.inMemoryAuthentication();
        //auth.inMemoryAuthentication().withUser("admin").password("{noop}1234").authorities("ROLE_ADMIN")
        //.and().withUser("zhangsan").password("{noop}1234").authorities("ROLE_01","add")
        //.and().withUser("lisi").password("{MD5}81dc9bdb52d04dc20036dbd8313ed055").authorities("ROLE_02","find");
    }

    //secutity原来的逻辑只要登录就可以访问全部  要替换访问的配置
    /**
     * @Author: JASON
     * @Date: 11:04 2021/1/13
     * @Parms [http]
     * @ReturnType: void
     * @Description: 配置权限和角色访问控制
    */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //http.authorizeRequests() 开启一个访问控制规则
        //.antMatchers() 通过ant表达式指定要进行控制的请求
        //.access() 通过表达式指定访问规则
        http.authorizeRequests().antMatchers("*.js","*.css").access("permitAll()");
        http.authorizeRequests().antMatchers("/pages/checkitem.html").access("hasAnyAuthority('ROLE_ADMIN','add')"); //有add权限和role_admin权限
        http.authorizeRequests().antMatchers("/pages/checkgroup.html").access("hasAuthority('find')");  //必须具备find劝降
        http.authorizeRequests().antMatchers("/main.html","/pages/**").access("isAuthenticated()");  //登录就可以访问
        //使用自带的登录页面   自定义相关的登录  登录失败等页面
        http.formLogin()
       //自定义登录页面    登录成功请求的接口地址 /sec/login
        .loginPage("/login.html").loginProcessingUrl("/sec/login").failureUrl("/login-fail.html").defaultSuccessUrl("/main.html");
                // .loginProcessingUrl 自定义登录路径 默认为/login
                //.defaultSuccessUrl() 自定义登录成功
                //.failureUrl（）自定义登录失败页面
        //关闭防csrf攻击
        http.csrf().disable();
        //权限不足跳转页面     (走请求转发)
        http.exceptionHandling().accessDeniedPage("/auth-fail.html");
        //指定登出接口invalidateHttpSession() 让session失效  logoutUrl  登出地址/sec/logout 地址栏输入可以退出
        http.logout().logoutUrl("/sec/logout").logoutSuccessUrl("/login.html").invalidateHttpSession(true);
    }
}

